(Grav GitSync) Automatic Commit from RealStickman

pages/02.linux/19.step-ca/default.en.md

@@ -0,0 +1,57 @@
+---
+title: Step-CA
+---
+
+## Server
+```
+# podman run -d --name step-ca \
+    -v step:/home/step \
+    -p 9000:9000 \
+    -e "DOCKER_STEPCA_INIT_NAME=Demiurge" \
+    -e "DOCKER_STEPCA_INIT_DNS_NAMES=(hostname),(hostname2)" \
+    docker.io/smallstep/step-ca
+```
+Get the root ca fingerprint  
+`# podman run -v step:/home/step smallstep/step-ca step certificate fingerprint certs/root_ca.crt`  
+
+To view your ca password, run this command  
+`# podman run -v step:/home/step smallstep/step-ca cat secrets/password`  
+
+### ACME Server
+Enable ACME. Restart the server afterwards.  
+`$ step ca provisioner add acme --type ACME`  
+
+## Client
+Initialize the step-cli client  
+`step-cli ca bootstrap --ca-url https://(domain/ip):9000 --fingerprint (root_ca fingerprint)`  
+
+## Create Certificates
+> [Official documentation](https://smallstep.com/docs/step-cli/basic-crypto-operations)  
+{.is-info}
+
+Enter the container  
+`# podman exec -it step-ca bash`  
+
+### Client Certificate
+```
+step certificate create (cert name) client-certs/(cert name).crt client-certs/(cert name).key \
+    --profile leaf --not-after=8760h \
+    --ca certs/intermediate_ca.crt \
+    --ca-key secrets/intermediate_ca_key \
+    --bundle
+```
+
+Add SANs with the `--san=`-flag. Add multiple flags for multiple SANs.  
+
+### ACME
+Point your ACME client to `https://(domain/ip):9000/acme/(provisioner-name)/directory`  
+
+## Device Truststore
+### Arch Linux
+> [Archwiki Article on TLS](https://wiki.archlinux.org/title/Transport_Layer_Security#Add_a_certificate_to_a_trust_store)  
+{.is-info}
+
+Add new trust anchor  
+`# trust anchor (root ca.crt)`  
+List trust anchors  
+`$ trust list`